[Bug 1861472] Re: upgrade from fresh bionic to focal needlessly prompts user
Bryce Harrington
1861472 at bugs.launchpad.net
Thu Feb 6 19:28:25 UTC 2020
Marc's comment #3 seems plausible:

stirling:~/ubuntu/Openssh$ lxc exec u18 -- bash
root@u18:~# md5sum /etc/ssh/sshd_config
203e9b92fe3623aeba277ee44297f7dd /etc/ssh/sshd_config
root@u18:~# grep -c 203e9b92fe3623aeba277ee44297f7dd /usr/share/openssh/sshd_config.md5sum
0
root@u18:~#

Looking at sshd_config on a fresh installed 18.04 lxc and a fresh 20.04,
the sshd_config files do indeed differ by exactly the diff shown during
upgrade (and provided in comment #2).

The md5sum checking was introduced in Debian in Dec 2016 with openssh
(1:7.4p1-1):

  * Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
    for this is to deal with deprecations of options related to protocol 1,
    but something like this has been needed for a long time (closes:
    #419574, #848089):
    - sshd_config is now a slightly-patched version of upstream's, and only
      contains non-default settings (closes: #147201).
    - I've included as many historical md5sums of default versions of
      sshd_config as I could reconstruct from version control, but I'm sure
      I've missed some.
    - Explicitly synchronise the debconf database with the current
      configuration file state in openssh-server.config, to ensure that the
      PermitRootLogin setting is properly preserved.
    - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
      than "yes", per upstream.

It's implemented in openssh-server.postinst:
...
... sed statements to customize $new_config from upstream for debian
...
mkdir -p /etc/ssh
ucf --three-way --debconf-ok \
    --sum-file /usr/share/openssh/sshd_config.md5sum \
    "$new_config" /etc/ssh/sshd_config
ucfr openssh-server /etc/ssh/sshd_config
AFAICT the /usr/share/openssh/sshd_config.md5sum is identical on freshly
lxc'd 18.04 and 20.04.
Running the ucf command on a focal lxc container with the 18.04 and
20.04 sshd_config files captured from fresh lxc installs reproduces the
same debconf prompt about the changed config, and then issues this
output:
stirling:~/ubuntu/Openssh/fix-apt-misprompt$ sudo ucf --no-action --three-way --debconf-ok --sum-file /usr/share/openssh/sshd_config.md5sum ./sshd_config.20.04 ./sshd_config.18.04
[sudo] password for bryce:
Replacing config file /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04 with new version
cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04 /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04.ucf-old
cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04
cp -pf /var/lib/ucf/hashfile.6 /var/lib/ucf/hashfile.7
cp -pf /var/lib/ucf/hashfile.5 /var/lib/ucf/hashfile.6
cp -pf /var/lib/ucf/hashfile.4 /var/lib/ucf/hashfile.5
cp -pf /var/lib/ucf/hashfile.3 /var/lib/ucf/hashfile.4
cp -pf /var/lib/ucf/hashfile.2 /var/lib/ucf/hashfile.3
cp -pf /var/lib/ucf/hashfile.1 /var/lib/ucf/hashfile.2
cp -pf /var/lib/ucf/hashfile.0 /var/lib/ucf/hashfile.1
cp -pf /var/lib/ucf/hashfile /var/lib/ucf/hashfile.0
(egrep -v "[[:space:]]\/home\/bryce\/ubuntu\/Openssh\/fix\-apt\-misprompt\/sshd_config\.18\.04$" "/var/lib/ucf/hashfile"
md5sum "/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04" | sed "s|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04|";
) | sort > "/var/lib/ucf/hashfile"
cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /var/lib/ucf/cache/:home:bryce:ubuntu:Openssh:fix-apt-misprompt:sshd_config.18.04
If I append the bionic sshd_config md5sum to the list and then check against that, no prompt is displayed, with the following output:
$ (cat /usr/share/openssh/sshd_config.md5sum; sudo md5sum sshd_config.18.04 | cut -d' ' -f1) > /tmp/sshd_config.md5sum
$ sudo ucf --no-action --three-way --debconf-ok --sum-file /tmp/sshd_config.md5sum ./sshd_config.20.04 ./sshd_config.18.04
cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04
cp -pf /var/lib/ucf/hashfile.6 /var/lib/ucf/hashfile.7
cp -pf /var/lib/ucf/hashfile.5 /var/lib/ucf/hashfile.6
cp -pf /var/lib/ucf/hashfile.4 /var/lib/ucf/hashfile.5
cp -pf /var/lib/ucf/hashfile.3 /var/lib/ucf/hashfile.4
cp -pf /var/lib/ucf/hashfile.2 /var/lib/ucf/hashfile.3
cp -pf /var/lib/ucf/hashfile.1 /var/lib/ucf/hashfile.2
cp -pf /var/lib/ucf/hashfile.0 /var/lib/ucf/hashfile.1
cp -pf /var/lib/ucf/hashfile /var/lib/ucf/hashfile.0
(egrep -v "[[:space:]]\/home\/bryce\/ubuntu\/Openssh\/fix\-apt\-misprompt\/sshd_config\.18\.04$" "/var/lib/ucf/hashfile"
md5sum "/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04" | sed "s|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04|/home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.18.04|";
) | sort > "/var/lib/ucf/hashfile"
cp -pf /home/bryce/ubuntu/Openssh/fix-apt-misprompt/sshd_config.20.04 /var/lib/ucf/cache/:home:bryce:ubuntu:Openssh:fix-apt-misprompt:sshd_config.18.04
--
https://bugs.launchpad.net/bugs/1861472
Title:
upgrade from fresh bionic to focal needlessly prompts user
Status in openssh package in Ubuntu:
Triaged
Bug description:
Upgrading from a fresh 18.04 LTS install to focal unexpectedly prompts
for how to handle a change to /etc/ssh/sshd_config
To reproduce the issue:
lxc launch ubuntu:18.04 u18
lxc exec u18 -- bash
# within container
do-release-upgrade -d
# select restart services when prompted
Eventually you'll be prompted to accept changes to
/etc/ssh/sshd_config or not because of "local changes".
Thanks
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssh-server 1:8.1p1-5
ProcVersionSignature: Ubuntu 4.15.0-62.69-generic 4.15.18
Uname: Linux 4.15.0-62-generic x86_64
ApportVersion: 2.20.11-0ubuntu16
Architecture: amd64
Date: Fri Jan 31 03:37:55 2020
ProcEnviron:
TERM=rxvt-unicode-256color
PATH=(custom, no user)
LANG=C.UTF-8
SourcePackage: openssh
UpgradeStatus: Upgraded to focal on 2020-01-31 (0 days ago)
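
The check discussed in the message above, as an added example that is not part of the original message and is not ucf's own code: a simplified model of how a --sum-file list of known default md5sums decides between silently replacing a config file and prompting. The function names and sample files are constructed for illustration, and ucf's own state in /var/lib/ucf/hashfile is ignored.

```shell
#!/bin/sh
# Simplified model of the --sum-file decision (assumption: only the
# sum-file path is modelled, not ucf's hashfile or three-way merge).

# md5_of FILE: print only the hex digest of FILE.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# classify_conffile SUMFILE INSTALLED NEW
# Prints one of:
#   keep     installed file already equals the new default
#   replace  installed file is a known historical default (no prompt)
#   prompt   installed file matches no known default, so it is
#            treated as carrying local changes
classify_conffile() {
    sumfile=$1 installed=$2 new=$3
    cur=$(md5_of "$installed")
    if [ "$cur" = "$(md5_of "$new")" ]; then
        echo keep
    elif grep -q "^$cur" "$sumfile"; then
        echo replace
    else
        echo prompt
    fi
}

# demo: reproduce the before/after from the message with constructed
# stand-ins for the 18.04 and 20.04 default files.
demo() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/old"            # constructed
    printf 'PasswordAuthentication yes\nInclude x\n' > "$d/new" # constructed
    # The shipped list does not contain the old default's md5sum.
    md5_of "$d/new" > "$d/sums"
    first=$(classify_conffile "$d/sums" "$d/old" "$d/new")
    # Append the old default's md5sum, as done in the message.
    md5_of "$d/old" >> "$d/sums"
    second=$(classify_conffile "$d/sums" "$d/old" "$d/new")
    rm -rf "$d"
    echo "$first $second"
}

demo
```
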